Chris Wysopal

Chris Wysopal
Chris Wysopal
Born	1 December 1965 (age 58); New Haven, Connecticut, US
Citizenship	American
Alma mater	Rensselaer Polytechnic Institute
Occupation(s)	Entrepreneur, CTO, Security researcher
Known for	Software Security
Spouse	Debra Wysopal m. 2008
Children	3

Last updated April 30, 2024

Chris Wysopal (also known as Weld Pond^[1]) is an entrepreneur, computer security expert and co-founder and CTO of Veracode.^[2] He was a member of the high-profile hacker think tank the L0pht where he was a vulnerability researcher.

Career

He was the seventh member to join the L0pht. His development projects there included Netcat and L0phtCrack for Windows. He was also webmaster/graphic designer for the L0pht website and for Hacker News Network, the first hacker blog. He researched and published security advisories on vulnerabilities in Microsoft Windows, Lotus Domino, Microsoft IIS, and ColdFusion. Weld was one of the seven L0pht members who testified before a Senate committee in 1998 that they could bring down the Internet in 30 minutes.^[3] When L0pht was acquired by @stake in 1999 he became the manager of @stake's Research Group and later @stake's Vice President of Research and Development. In 2004 when @stake was acquired by Symantec he became its Director of Development. In 2006 he founded Veracode with Christien Rioux and serves as CTO. In 2017 Veracode was acquired by CA Technology for $614M.^[4] Veracode was subsequently spun out and became independent once again by being purchased by Thoma Bravo for $950M.^[5] Wysopal continues to serve as CTO.

In 2018 Wysopal joined the Humanyze board of directors.^[6]

Wysopal was instrumental in developing industry guidelines for responsible disclosure of software vulnerabilities. He was a contributor to RFPolicy, the first vulnerability disclosure policy. Together with Steve Christey of MITRE he proposed an IETF RFC titled "Responsible Vulnerability Disclosure Process" in 2002. The process was eventually rejected by the IETF as not within their purview but the process did become the foundation for Organization for Internet Safety, an industry group bringing together software vendors and security researchers of which he was a founder. In 2001 he founded the non-profit full disclosure mailing list VulnWatch for which was moderator. In 2003 he testified before a United States House of Representatives subcommittee on the topic of vulnerability research and disclosure.

In 2008, Wysopal was recognized for his achievements in the IT industry by being named one of the 100 Most Influential People in IT by eWeek ^[7] and selected as one of the InfoWorld CTO 25.^[8] In 2010, he was named a SANS Security Thought Leader.^[9] In 2012, he began serving on the Black Hat Review Board. He was named one of the Top 25 Disruptors of 2013 by Computer Reseller News.^[10] In 2014, he was named one of 5 Security Thought Leaders by SC Magazine.^[11] In 2023, Chris was named a Cybersecurity Visionary by CyberScoop.^[12]

Patents

U.S. Patent 10,275,600, Assessment and analysis of software security flaws

U.S. Patent 9,672,355, Automated behavioral and static analysis using an instrumented sandbox and machine learning classification for mobile security

U.S. Patent 8,613,080, Assessment and analysis of software security flaws in virtual machines

Publications

Wysopal, Chris; Lucas Nelson; Dino Dai Zovi; Elfriede Dustin (November 1, 2006). The Art of Software Security Testing. Addison-Wesley. ISBN 0321304861.
Shostack, Adam (February 17, 2014). Chris Wysopal (ed.). Threat Modeling: Designing for Security. Wiley. ISBN 978-1118809990.
Wysopal, Chris; Geer, Dan (August 2013). For Good Measure: Security Debt. ;login: The USENIX Magazine.
Wysopal, Chris (September, 2012). Software Security Varies Greatly. Datenschutz und Datensicherheit - DuD.
Wysopal, Chris; Shields, Tyler; Eng, Chris (February 24, 2010). Static Detection of Application Backdoors. Datenschutz und Datensicherheit - DuD.

Related Research Articles

Computer security, cybersecurity, digital security or information technology security is the protection of computer systems and networks from attacks by malicious actors that may result in unauthorized information disclosure, theft of, or damage to hardware, software, or data, as well as from the disruption or misdirection of the services they provide.

In the field of computer security, independent researchers often discover flaws in software that can be abused to cause unintended behaviour; these flaws are called vulnerabilities. The process by which the analysis of these vulnerabilities is shared with third parties is the subject of much debate, and is referred to as the researcher's disclosure policy. Full disclosure is the practice of publishing analysis of software vulnerabilities as early as possible, making the data accessible to everyone without restriction. The primary purpose of widely disseminating information about vulnerabilities is so that potential victims are as knowledgeable as those who attack them.

L0pht Heavy Industries was a hacker collective active between 1992 and 2000 and located in the Boston, Massachusetts area. The L0pht was one of the first viable hackerspaces in the US, and a pioneer of responsible disclosure. The group famously testified in front of Congress in 1998 on the topic of ‘Weak Computer Security in Government’.

L0phtCrack is a password auditing and recovery application originally produced by Mudge from L0pht Heavy Industries. It is used to test password strength and sometimes to recover lost Microsoft Windows passwords, by using dictionary, brute-force, hybrid attacks, and rainbow tables.

A grey hat is a computer hacker or computer security expert who may sometimes violate laws or typical ethical standards, but usually does not have the malicious intent typical of a black hat hacker.

Christien Rioux, also known by his handle DilDog, is the co-founder and chief scientist for the Burlington, Massachusetts based company Veracode, for which he is the main patent holder.

Peiter C. Zatko, better known as Mudge, is an American network security expert, open source programmer, writer, and hacker. He was the most prominent member of the high-profile hacker think tank the L0pht as well as the computer and culture hacking cooperative the Cult of the Dead Cow.

ATstake, Inc. was a computer security professional services company in Cambridge, Massachusetts, United States. It was founded in 1999 by Battery Ventures and Ted Julian. Its initial core team of technologists included Dan Geer and the east coast security team from Cambridge Technology Partners.

In computer security, coordinated vulnerability disclosure is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue. This coordination distinguishes the CVD model from the "full disclosure" model.

A zero-day is a vulnerability or security hole in a computer system unknown to its owners, developers or anyone capable of mitigating it. Until the vulnerability is remedied, threat actors can exploit it in a zero-day exploit, or zero-day attack.

Veracode is an application security company based in Burlington, Massachusetts. Founded in 2006, it provides SaaS application security that integrates application analysis into development pipelines.

In computer security, a threat is a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application.

Mark Edwin Kriegsman is an American entrepreneur, computer programmer, inventor, writer, and former Director of Engineering at Veracode.

A bug bounty program is a deal offered by many websites, organizations, and software developers by which individuals can receive recognition and compensation for reporting bugs, especially those pertaining to security exploits and vulnerabilities.

Project Zero is a team of security analysts employed by Google tasked with finding zero-day vulnerabilities. It was announced on 15 July 2014.

SourceClear or SRC:CLR was an American software company with its namesake security tool for software developers. SourceClear focused on open-source software development, plugging into developers' existing workflows and examining security risks of open-source and third-party code in real time. The company was headquartered in San Francisco, California with an office in Singapore. It had customers in the technology, social media, retail, finance, and defense industries. In October 2015, it announced a $10 million Series A round of funding. In 2018 it was acquired by CA Technologies; after which it was folded into Veracode.

Katie Moussouris is an American computer security researcher, entrepreneur, and pioneer in vulnerability disclosure, and is best known for her ongoing work advocating responsible security research. Previously a member of @stake, she created the bug bounty program at Microsoft and was directly involved in creating the U.S. Department of Defense's first bug bounty program for hackers. She previously served as Chief Policy Officer at HackerOne, a vulnerability disclosure company based in San Francisco, California, and currently is the founder and CEO of Luta Security.

Cris Thomas is an American cybersecurity researcher, white hat hacker, and award winning best selling author. A founding member and researcher at the high-profile hacker security think tank L0pht Heavy Industries, Thomas was one of seven L0pht members who testified before the U.S. Senate Committee on Governmental Affairs (1998) on the topic of government and homeland computer security, specifically warning of internet vulnerabilities and claiming that the group could "take down the internet within 30 minutes".

Alex Stamos is an American computer scientist and adjunct professor at Stanford University's Center for International Security and Cooperation. He is the former chief security officer (CSO) at Facebook. His planned departure from the company, following disagreement with other executives about how to address the Russian government's use of its platform to spread disinformation during the 2016 U.S. presidential election, was reported in March 2018.

Log4Shell (CVE-2021-44228) is a zero-day vulnerability in Log4j, a popular Java logging framework, involving arbitrary code execution. The vulnerability had existed unnoticed since 2013 and was privately disclosed to the Apache Software Foundation, of which Log4j is a project, by Chen Zhaojun of Alibaba Cloud's security team on 24 November 2021. Before an official CVE identifier was made available on 10 December 2021, the vulnerability circulated with the name "Log4Shell", given by Free Wortley of the LunaSec team, which was initially used to track the issue online. Apache gave Log4Shell a CVSS severity rating of 10, the highest available score. The exploit was simple to execute and is estimated to have had the potential to affect hundreds of millions of devices.

References

↑ "L0pht in Transition". April 2007. Retrieved Nov 26, 2012.
↑ Fitzgerald, Michael (2007-04-22). "PROTOTYPE; To Find the Danger, This Software Poses as the Bad Guys". The New York Times. Retrieved 2012-11-26.
↑ "Weak computer security in government: Is the public at risk?". May 19, 1998. Retrieved Nov 26, 2012.
↑ "CA Technologies to Acquire Veracode". Reuters. Mar 6, 2017.
↑ "Veracode Acquired for $950M as Broadcom Closes CA Acquisition". November 5, 2018.
↑ "Veracode co-founder joins board of 'people analytics' startup Humanyze". Mar 29, 2018.
↑ "100 Most Influential People in IT". eWEEK. Retrieved 2018-11-22.
↑ "2008 InfoWorld CTO 25: Chris Wysopal, Veracode | InfoWorld | Award | 2008-06-02 | By Doug Dineley". 2008-06-07. Archived from the original on 2008-06-07. Retrieved 2018-11-22.
↑ "SANS Institute". www.sans.org. Retrieved 2018-11-22.
↑ Whiting, Rick. "The Top 25 Disrupters Of 2013". CRN. Retrieved 2018-11-22.
↑ "Reboot 25: Thought leaders - SC Magazine". www.scmagazine.com. Archived from the original on 2015-01-08.
↑ Mitchell, Billy (2023-11-15). "Announcing the winners of the 2023 CyberScoop 50". CyberScoop. Retrieved 2023-11-29.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[LiT-1] "L0pht in Transition". April 2007. Retrieved Nov 26, 2012.

[2] Fitzgerald, Michael (2007-04-22). "PROTOTYPE; To Find the Danger, This Software Poses as the Bad Guys". The New York Times. Retrieved 2012-11-26.

[3] "Weak computer security in government: Is the public at risk?". May 19, 1998. Retrieved Nov 26, 2012.

[4] "CA Technologies to Acquire Veracode". Reuters. Mar 6, 2017.

[5] "Veracode Acquired for $950M as Broadcom Closes CA Acquisition". November 5, 2018.

[6] "Veracode co-founder joins board of 'people analytics' startup Humanyze". Mar 29, 2018.

[7] "100 Most Influential People in IT". eWEEK. Retrieved 2018-11-22.

[8] "2008 InfoWorld CTO 25: Chris Wysopal, Veracode | InfoWorld | Award | 2008-06-02 | By Doug Dineley". 2008-06-07. Archived from the original on 2008-06-07. Retrieved 2018-11-22.

[9] "SANS Institute". www.sans.org. Retrieved 2018-11-22.

[10] Whiting, Rick. "The Top 25 Disrupters Of 2013". CRN. Retrieved 2018-11-22.

[11] "Reboot 25: Thought leaders - SC Magazine". www.scmagazine.com. Archived from the original on 2015-01-08.

[12] Mitchell, Billy (2023-11-15). "Announcing the winners of the 2023 CyberScoop 50". CyberScoop. Retrieved 2023-11-29.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]

[10]

[11]

[12]

v t e L0pht Heavy Industries
People	DilDog Kingpin Mudge Space Rogue Weld Pond
Tools	L0phtCrack Hacker News Network
Associated organizations	@stake Cult of the Dead Cow

Authority control databases
International	ISNI VIAF
National	Israel United States Korea
Other	IdRef

Chris Wysopal

Born	(1965-12-01) 1 December 1965 (age 58) New Haven, Connecticut, US
Citizenship	American
Alma mater	Rensselaer Polytechnic Institute
Occupation(s)	Entrepreneur, CTO, Security researcher
Known for	Software Security
Spouse	Debra Wysopal m. 2008
Children	3